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Data Output Method, System and Apparatus 

Field of the Invention 

The present invention relates to a method, system and apparatus for 
5 outputting data to a removable storage medium and, in particular, but not 
exclusively to data output by printing. 

Background of the Invention 

A number of different techniques have been developed to minimise 
10 unauthorised access to data held on a computer apparatus or to data 
transmitted between computer apparatuses. 

However, should a user print confidential information to a remote printer this 
can result in the confidential information being accessible to anyone who has 
1 5 access to the printer, which for mobile users can be particularly undesirable. 

One solution to this problem has been to use a printer spooler, within a printer 
server, which will only deliver a job to a printer, for printing, if the recipients of 
the job authenticate themselves to the printer spooler. However, this requires 
20 specific configuration of a printer spooler, which as a result can limit the 
conditions under which a document can be printed. 

It is desirable to improve this situation. 

25 Embodiments of the present invention to be described hereinafter make use 
of a cryptographic technology known as identifier-based encryption. 
Accordingly, a brief description will now be given of this type of encryption. 

Identifier-Based Encryption (IBE) is an emerging cryptographic schema. In 
30 this schema (see Figure 1 of the accompanying drawings), a data provider 10 
encrypts payload data 13 using both an encryption key string 14, and public 
data 15 provided by a trusted authority12. This public data 15 is derived by 
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the trusted authority 12 using private data 17 and a one-way function 18. The 
data provider 10 then provides the encrypted payload data <13> to a 
recipient 11 who decrypts it, or has it decrypted, using a decryption key 
computed by the trusted authority 12 in dependence on the encryption key 
5 string and its own private data. 

A feature of identifier-based encryption is that because the decryption key is 
generated from the encryption key string, its generation can be postponed 
until needed for decryption. 

10 

Another feature of identifier-based encryption is that the encryption key string 
is cryptographically unconstrained and can be any kind of string, that is, any 
ordered series of bits whether derived from a character string, a serialized 
image bit map, a digitized sound signal, or any other data source. The string 

15 may be made up of more than one component and may be formed by data 
already subject to upstream processing. In order to avoid cryptographic 
attacks based on judicious selection of a key string to reveal information about 
the encryption process, as part of the encryption process the encryption key 
string is passed through a one-way function (typically some sort of hash 

20 function) thereby making it impossible to choose a cryptographically- 
prejudicial encryption key string. In applications where defence against such 
attacks is not important, it would be possible to omit this processing of the 
string. 

25 Frequently, the encryption key string serves to "identify" the intended 
message recipient and the trusted authority is arranged to provide the 
decryption key only to this identified intended recipient. This has given rise to 
the use of the label "identifier-based" or "identity-based" generally for 
cryptographic methods of the type under discussion. However, depending on 

30 the application to which such a cryptographic method is put, the string may 
serve a different purpose to that of identifying the intended recipient. 
Accordingly, the use of the term "identifier-based" or "IBE" herein in relation 
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to cryptographic methods and systems is to be understood simply as implying 
that the methods and systems are based on the use of a cryptographically 
unconstrained string whether or not the string serves to identify the intended 
recipient. Generally, in the present specification, the term "encryption key 
5 string" or "EKS" is used rather than "identity string" or "identifier string" ; the 
term "encryption key string" is also used in the shortened form "encryption 
key" for reasons of brevity. 

A number of IBE algorithms are known and Figure 2 indicates, for three such 
10 algorithms, the following features, namely: 

- the form of the encryption parameters 5 used, that is, the encryption key 
string and the public data of the trusted authority (TA); 

- the conversion process 6 applied to the encryption key string to prevent 
attacks based on judicious selection of this string; 

15 - the primary encryption computation 7 effected; 

- the form of the encrypted output 8. 

The three prior art IBE algorithms to which Figure 2 relates are: 

Quadratic Residuosity (QR) method as described in the paper: C. 
Cocks, "An identity based encryption scheme based on quadratic 
20 residues", Proceedings of the 8 th IMA International Conference on 
Cryptography and Coding, LNCS 2260, pp 360-363, Springer-Verlag, 
2001 . A brief description of this form of IBE is given hereinafter. 

- Bilinear Mappings p using, for example, a Tate pairing t or modified Weil 
pairing e. Thus, for the modified Weil pairing: 

25 e: Gi x d > G 2 

where Gi and G2 denote two algebraic groups of prime order q and G 2 is a 
subgroup of a multiplicative group of a finite field. The Tate pairing (to 
which the example given in Figure 2 specifically relates) can be similarly 
expressed though it is possible for it to be of asymmetric form: 

30 f: G-i x G 0 > G 2 
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where G 0 is a further algebraic group the elements of which are not 
restricted to being of order q. Generally, the elements of the groups Go 
and Gi are points on an elliptic curve though this is not necessarily the 
case. A description of this form of IBE method, using modified Weil 
5 pairings is given in the paper: D. Boneh, M. Franklin - "Identity-based 
Encryption from the Weil Pairing" in Advances in Cryptology - CRYPTO 
2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001. 

- RSA-Based methods The RSA public key cryptographic method is well 
known and in its basic form is a two-party method in which a first party 

10 generates a public/private key pair and a second party uses the first 
party's public key to encrypt messages for sending to the first party, the 
latter then using its private key to decrypt the messages. A variant of the 
basic RSA method, known as "mediated RSA", requires the involvement of 
a security mediator in order for a message recipient to be able to decrypt 

15 an encrypted message. An IBE method based on mediated RSA is 
described in the paper "Identity based encryption using mediated RSA", 
D. Boneh, X. Ding and G. Tsudik, 3rd Workshop on Information Security 
Application, Jeju Island, Korea, Aug, 2002. 

20 Summary of the Invention 

In accordance with a first aspect of the present invention there is provided a 
system comprising: 

- an output device for outputting data onto a removable storage medium; 

- a first computing entity arranged to encrypt a first data set based on 
25 encryption parameters comprising public data of a trusted party and an 

encryption key string comprising a second data set that defines a policy for 
allowing the output of the first data set onto a said removable storage 
medium, the first computing entity being further arranged to output the 
encrypted first data set for the output device; and 
30 - a second computing entity associated with the trusted party and arranged 
when satisfied that said policy has been met, to output for the output 
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device a decryption key for use in decrypting the encrypted first data set, 
the second computing entity being arranged to generate this decryption 
key in dependence on the encryption key string and private data related to 
said public data; 

5 the output device being arranged to use the decryption key in decrypting the 
encrypted first data set. 

The output device is, for example, a printer. 

10 In accordance with a second aspect of the present invention there is provided 
a data output method comprising the steps of: 

(a) encrypting a first data set based on encryption parameters comprising 
public data of a trusted party and an encryption key string comprising a 
second data set that defines a policy for allowing the output of the first 

15 data set to a removable storage medium, 

(b) providing the encrypted first data set to an output deviceadapted to output 
data to a removable storage medium; 

(c) at the trusted party checking that said policy has been satisfied and 
thereafter providing the output device with a decryption key for use in 

20 decrypting the encrypted first data set, this decryption key being generated 
in dependence on the encryption key string and private data related to said 
public data; and 

(d) at the output device using the decryption key in decrypting the encrypted 
first data set and outputting the first data set to a removable recording 

25 medium . 

In accordance with a third aspect of the present invention there is provided 
printing apparatus including: 

- means for receiving both an encryption key string comprising policy data 
30 defining a policy for allowing the printing of payload data, and said payload 
encrypted based on encryption parameters comprising public data of a 
trusted party and said encryption key string; 
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- means for providing the encryption key string to the trusted authority and 
for receiving back a decryption key; and 

- means for using the received decryption key in decrypting the encrypted 
payload data for printing. 

5 

Brief Description of the Drawings 

For a better understanding of the present invention and to understand how 
the same may be brought into effect reference will now be made, by way of 
example only, to the accompanying drawings, in which :- 
10 . Figure 1 is a diagram illustrating the operation of a prior art encryption 

schema known as Identifier-Based Encryption (IBE); 
. Figure 2 is a diagram illustrating how certain IBE operations are 

implemented by three different prior art IBE methods; 
. Figure 3 is a diagram illustrating a system according to a first 
1 5 embodiment of the present invention; 

. Figure 4 is a diagram illustrating a system according to a second 

embodiment of the present invention; and 
. Figure 5 is a diagram illustrating a system according to a third 

embodiment of the present invention. 

20 

Best Mode of Carrying Out the Invention 

The embodiments described below all generally provide a printing system that 
is arranged, using identifier based encryption, to ensure that where a job is 
sent to a printer, it can only be printed in cleartext if a policy associated with 

25 the job has been satisfied, this policy specifying one or more conditions, such 
as verification constraints to be satisfied and notifications to be made. More 
particularly, the job is encrypted for sending to the printer using an IBE 
encryption key string that is based on the policy; to decrypt the job, the printer 
must obtain the corresponding IBE decryption key from a trusted authority that 

30 is responsible for checking that the policy has been satisfied. As will be 
described below, it is possible to involve more than one trusted authority in 
this process, each responsible for checking that one or more conditions have 
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been met; in this case, the policy can be divided into sub-policies with each 
trusted authority only checking the relevant sub-policy, or multiple separate 
policies can be provided, one for each trusted authority. 

5 First Embodiment The first embodiment is shown in Figure 3 and comprises a 
first computing entity 20, a second computing entity 21 and a printer 30, all 
connected via a network 40, for example the Internet. 

The first computing entity 20 represents a user 50 and the second computing 
10 entity 21 represents a trusted authority 60. 

The first and second computing entities 20, 21 are, for example, based on 
conventional program-controlled processors (possibly with specific hardware 
for implementing cryptographic processes) as are well known to a person 

15 skilled in the art. As used herein, the term "computing entity" refers to a 
distinct functional element but this is not to be taken as excluding the 
possibility of the same computer apparatus serving as the basis of two or 
more computing entities with the specific functionality of each such entity 
being provided by corresponding program processes running on the 

20 apparatus. 

The first computing entity 20 includes a processor 70 that is arranged to allow 
the generation of a printing policy that stipulates the requirements for allowing 
the printing of a document, for example a policy could stipulate that a 
25 document may only be printed at a specific printer. The policy can be 
expressed in any suitable form, for example XML format. 

Additionally or alternatively, however, the first computing entity 20 could 
receive the printing policy from an external source, for example, from the 
30 trusted authority 60, via the network 40. 
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Once the policy has been generated, or received, by the first computing entity 
20 the processor 70 is arranged to use the policy, or a representation of the 
policy, as an encryption key string in an I BE (Identifier-Based Encryption) 
process for encrypting the document to be printed. 

5 

Once the document has been encrypted, it is forwarded via the network 40 to 
the printer 30. Typically, if the policy has been generated by the user 50, the 
policy is also forwarded to the printer 30 with the encrypted document. 

10 The printer 30 includes an interface 80 for coupling the printer 30 to the 
network 40 and a processor 90. 

Associated with the printer 30 is local printer information that includes device 
identity, serial number, location, etc. 

15 

On receipt of the encrypted document by the printer 30, the processor 90 is 
arranged, via the interface 80 and network 40, to contact the trusted authority 
60 to request an associated decryption key to allow the printer 30 to decrypt 
the received encrypted document. Additionally, the processor 90 is arranged 
20 to forward the related printing policy to the trusted authority 60 (assuming this 
policy has been provided to the printer by the user 50). 

On receipt by the trusted authority 60 of a request from the printer 30 for a 
decryption key, the trusted authority 60 determines if the trusted authority 60 

25 has the associated policy used to derive the encryption key. The trusted 
authority 60 will typically receive the policy via the printer 30, as described 
above, however other mechanisms could be established, for example the user 
50 could provide the policy to the trusted authority 60 directly. Alternatively, 
the trusted authority 60 could generate the relevant policy and provide it to the 

30 user 50 to allow the user 50 to encrypt the document, as described below. 
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On receipt of the request for a decryption key with the relevant policy, the 
trusted authority 60 determines whether the appropriate policy has been 
complied with. If the trusted authority 60 believes that the policy has been 
complied with, the trusted authority 60 generates an associated IBE 
5 decryption key using data corresponding to the encryption key string and 
forwards the decryption key to the printer 30 to enable the latter to decrypt the 
document. Of course, the trusted authority can generate the decryption key in 
parallel with, or even before, carrying out its determination as to whether the 
appropriate policy has been met provided that it defers providing the 
10 decryption key to the printer until satisfied that the policy has been met. 

A more detailed description will now be given of the IBE encryption/ 
decryption processes employed by the first embodiment, these processes 
being based, by way of example, on the use of bilinear maps It is to be 
15 understood, however, that other IBE processes can alternatively be used such 
as those based on on quadratic residue techniques, or on RSA techniques. 

In the following, Gi and G 2 denote two groups of prime order q in which the 
discrete logarithm problem is believed to be hard and for which there exists a 
20 computable bilinear map p expressed as: 
p : G-, x Gt ► G 2 

Gi is here assumed to be a group of points on an elliptic curve (though this is 
not necessarily the case) and G2 is a subgroup of a multiplicative group of a 
25 finite field ¥ q . Example computable bilinear maps are the Tate pairing and the 
Weil pairing (though, as is well known to persons skilled in the art, for 
cryptographic purposes, a modified form of the Weil pairing is used that 
ensure e (P,P) ^1 where Pe Gt). 

30 As the mapping between Gi and G2 is bilinear exponents/multipliers can be 
moved around. For example if a, b, c e ¥ q and P,Oe Gi then 
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p (aP, bQ) c = p (aP, cQ) b = p {bP, cQ) a = p (bP, aQf = p {cP, aQ) b = p (cP, 
bQf 

= p (abP, Q) c = p (abP, cQ) = p (P, abQf = p (cP, abQ) 

5 

= p (abcP, Q)=p (P, abcQ) = p (P, Q) abc 



To set up the system: a large (at least 512-bits) prime p is chosen such that p 
10 =2 mod 3 and p = Qq -1 for some prime q > 3; an elliptic curve, E, such as y 2 
= x 3 + 1 over F p is defined; and an arbitrary point, P, on E, i.e., P e E/F p of 
order g is chosen. 

Additionally, the following cryptographic hash functions are defined: 
15 ^{O.ir-^Fp; 

H 2 : Fp 2 -> {0,1}* for some security parameter k; 

H 3 :{0,V k x{0,V k -+Z* q , 

H 4 : {0,1}*-* {0,1}*. 



20 A public/private key pair is defined for the trusted authority 60 where the 
public key R is: R e G1 and the private key s is: s e ¥ q with R=sP e Gi. 



Additionally, this embodiment uses an identifier based public key Q )D / private 
key Sid pair where the Qi D , S )D e Gi and the trusted authority's public/private 
25 key pair (R,s) is linked with the identifier based public/private key by 
Sid = sQid and Q| D = MapToPoint (Hi (ID)) 
where ID is an identifier string (encryption key string). 

Given the hash function H,. {0,1}* -> F p , algorithm MapToPoint works as 
30 follows on input /-/-,(ID) = y 0 e F p : 

(1 ) Compute xo = (y 0 2 -1 ) 1/3 = (y 0 2 -1 f^ 1)/3 € F p . 
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(2) Let Q = (x 0 , y 0 ) e E/F p and set Q, D = 6Q e d. 

(3) Output MapToPoint(y 0 ) = Q /D . 



Identifier based encryption allows the holder of the private key S iD of an 
5 identifier (encryption key string) based key pair to decrypt a document sent to 
them encrypted using the associated public key Q| D - In the present case, the 
printing policy is used as the encryption key string to derive the public key Qi D , 
hereinafter referred to as Q pr i nt . Once this public key has been derived, the 
document m to be printed can be encrypted by performing the following 
10 computation. 

• Selects a random number a e {0,1 } k . 

• Computes r - H 3 (cr, m), where r is a random element that ensures 
only someone with the appropriate private key can decrypt the 
document, m. 

1 5 • Computes U = rP. 

• Computes g print = e(Q pnnt , R) e F p * . 

• Computes V= cy®H 2 {g m d- 

• Computes W = m 0 H 4 (o). 

• Sets the ciphertext to be C = {U, V, W). 
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As stated above the ciphertext, which corresponds to the encrypted 
document, m, is forwarded to the printer 30. 



The printer 30 contacts the trusted authority 60 to obtain the associated 
25 private key related to the public key Q pri nt. On being contacted, the trusted 
authority 60 checks that the printing policy on which Q prin t is based is satisfied 
and, if so, provides the user 50 with the appropriate private key. The 
appropriate private key, here called S pr i nt> is a combination of Q pri nt and the 
trusted authority's private key s, that is: 

30 S pr int = SQprint 
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On receipt of the private key Sprint the document is decrypted by the printer 
performing the following computation: 

• Tests U e Ef¥ p of order q; 

• Computes x = p (Sprint, U)\ 
5 • Computes <r= V© H 2 (x); 

• Computes m = W© H 4 (o); 

• Computes r= H 3 (cr, m); 

• Checks U = rP. 



10 It may be noted that in the above-noted variant where the trusted authority 60 
generates the relevant policy, if the user does not need to see the policy, then 
the trusted authority could simply provide the user 50 with O pr j n t rather than 
with the underlying printing policy (encryption key string); in either case, the 
encryption of the documents is still based on the encryption key string and the 

15 public key of the trusted authority. Conversely, where the user 50 has 
generated the policy, the user can provide not only the policy but also Qp ri nt to 
the trusted authority to save the latter having to recalculate this value; in either 
case, generation of the decryption key S pr jnt is effected in dependence on the 
encryption key string and the private key of the trusted authority. In both the 

20 foregoing situations where a party (user / trusted authority) receives Qprint 
rather than the encryption key string (printing policy), that party has to trust 
that the link between the policy and O pri nt has not been broken which would 
generally involve authentication and integrity checking with respect to the 
transfer of Q prin t. 

25 

In another variant of the first embodiment the second computing entity 21 that 
serves as the trusted authority 60 is incorporated into a portable device 60, 
such as a smartcard, that can only communicate with the printer 30 when the 
portable device is present at the printer. More specifically, the portable device 
30 is provided with a first communications interface and the printer has a 
complementary second communications interface, these interfaces being 
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such that communication between the trusted authority and printer can only 
take place when the interfaces are close to each other (for example, the 
interfaces can be designed to require physical interconnection or to provide 
for a short range (<10 meters) wireless connection). In this variant the 
5 portable device would typically be carried by a person having authority to print 
the data of interest so that the person would need to be present at the printer 
before the decryption key can be provided by the trusted authority to the 
printer. In this case, the printing policy need not require any specific condition 
to be checked though, preferably, the policy at least requires that the trusted 

10 authority authenticates his/herself in some way as being the authorized 
possessor of the portable device (such as by input of a PIN code). In one 
application of this variant, the authorized possessor of the portable device can 
request a document to be sent by the first computing entity 20 (which may be 
the possessor's home computing system, for example) in encrypted form to a 

15 printer 30 near the possessor who can be anywhere in the world; in this case, 
only the possessor of the portable device can enable decryption of the 
document by the printer. 

Second Embodiment The above embodiment can be expanded to include 
20 multiple trusted authorities where the decryption requires a decryption key 
from each of the individual trusted authorities. One embodiment of multiple 
trusted authorities is shown in Figure 4, which is based upon the system 
shown in Figure 3 with the addition of a third computing entity 100, where the 
third computing entity 100 acts as a second trusted authority 200, 
25 independent of the first trusted authority 60. 

As with the first trusted authority 60, the second trusted authority 200 has a 
unique public/private key pair. 

30 As described below, there is an independent printing policy associated with 
each trusted authority 60, 200, and a corresponding IBE public key Qp rin ti and 
Q P rint2 is formed from each policy. Each trusted authority 60, 200 generates a 
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private key S pr inti. S P rint2 corresponding to the respective public key, as 
described above. To send an encrypted document to the printer 30 the user 
50 encrypts the document with a combination of the printing-policy public keys 
Qprinti, Qpnnt2 associated with the trusted authorities 60, 200 respectively, and 
5 the respective public keys R 1f R 2 of these authorities. On receipt of the 
encrypted document the printer 30 decrypts the document with a combination 
of the private keys S pn nti, S P rmt2 associated with the respective policies; the 
printer 30 obtains the private keys Sprinti. S p rint2 from the trusted authorities 60, 
200 respectively with each trusted authority only releasing the related private 
10 key when satisfied that the associated printing policy has been satisfied. 

The second embodiment will now be described in more. 

The first trusted authority 60 has a public key Ri and a corresponding private 
15 key Si where /?i = SiP, with P being a point on an elliptic curve, as described 
above. 

The second trusted authority 200 has a public key R 2 and a corresponding 
private key s 2 where R 2 = s 2 P, with P being the same point on the elliptic 
20 curve as used by the first trusted authority. 

The user 50 defines a first and a second printing policy that are associated 
with the first and second trusted authorities 60, 200 respectively, that is to say 
with the first trusted authority 60 the user 50 has a first policy Printl, whilst 
25 with the second trusted authority 200 the user 50 had a second policy Print2. 

Using the first policy Printl as an IBE encryption key string, a first public key 
Qprinti is derived: 

Qpnnti = MapToPointHi (Printl) 
30 The trusted authority 60 can use this public key to generate a corresponding 
IBE decryption key: 
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Sprinti = s 1 Qprintl 

Similarly, using the second policy Print2 as an I BE encryption key string, a 
second public key Q pr int2 is derived: 

Qpnnt2 = MapToPointHi(Print2) 
5 The trusted authority 200 can use this public key to generate a corresponding 
IBE decryption key: 

Sprint2 = s 2Qprint2 



Using Q pr inti and Q pr int2, the user 50 encrypts a document m for sending to the 
10 printer 30 by generating ciphertext U, Vand W in steps in which it: 

• Selects a random number a e {0,1 } k . 

• Computes r = H 3 (<r, m). 

• Computes U = rP. 

• Computes gu = n ( i <i< 2) p (Q prinUl /?,) € F p 2 . 
15 • Computes V= a© H 2 (g prin /). 

• Computes W= m® H 4 (cr). 

• Sets the ciphertext to be C = (U, V, W). 



Decryption is performed by the printer by computing: 
20 • Tests U e E/Fp of order q; 

• Computes x-p (E (1 < f < 2) S pri nt/, U); 

• Computes a - V ® H 2 (x); 

• Computes m=W® H 4 (o-); 

• Computes r - H 3 (cr, m)\ 
25 • Checks U = rP. 

where the private (decryption) keys S prin ti and S pr int2 are provided to the printer 
30 on satisfactory compliance of the respective policy Printl , Print2. As will be 
appreciated, the message m can only be decrypted with knowledge of both 
private keys S prin ti and S prin t2. 
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Figure 5 depicts a specific example of the use of two trusted authorities, one 
of which is associated with a computing entity provided by computer 
apparatus that also acts as the computing entity for the encrypting party (the 
user 50 of Figure 4). More particularly, Figure 5 shows a bookshop 300 that 
5 includes a printer 310; first and second computing entities 320, 321 provided 
on the same computing platform and respectively acting as an encrypting 
entity for a book publisher 330 and as a first trusted authority 340 associated 
with the book publisher; and a third computing entity 350 associated with the 
printer manufacture and also acting as a second trusted authority 360. The 
10 printer 310, the first and second computing entities 320, 321 , and the second 
computing entity 350 are connected via a network 370, for example the 
Internet. 

The bookshop 300 allows customers to locally print books using the printer 
15 310. For each book, the book publisher 330 has used the computing entity 
320 to provide the bookshop 300 with an encrypted version of the book 
encrypted using a public key derived using respective policies for the two 
trusted authorities 340, 360, as described above. 

20 The first policy, intended for the first trusted authority 340 (i.e. the book 
publishers themselves), contains references to the book and the bookshop. 
The second policy requires that the second trusted authority 360 (i.e. the 
printer manufacture) confirm the integrity and operability of the printer 310 
before issuing an appropriate private key. 

25 

When a customer attempts to print a book the printer detects the two 
associated policies and sends each policy to the relevant trusted authority 
340, 360 to obtain the relevant private key required by the printer 310 to 
decrypt the book. Therefore, for a book to be printed off, the book publisher 
30 330 can be confident that the printer integrity has been checked by the printer 
manufacture and that the bookshop 300 has informed the book publisher 330 
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that the book has been printed, thereby allowing the book publisher 300 to 
charge the bookshop 300 for the printed book. 

It will be appreciated that the foregoing book publisher example can equally 
5 be applied to any document, not just books. 



Third Embodiment This embodiment (not illustrated) further expands the 
printing system to involve any number n of trusted authorities. The trusted 
10 authorities can be totally independent of each other and there is no need for 
any business relationship to exist between the trusted authorities, in fact the 
trusted authorities do not need to know each other. 

In this embodiment each trusted authority TAj (/= 1 n) respectively selects 

15 a random s, e O * q and set ft, = s,P. The user encrypts a document m e {0,1 } k 
for sending to the printer 30 using n public keys Q pnnt ; (/ = 1, n) each 
derived from a respective printing policy Print/ (/' = 1, n) e {0,1}* that is 
associated with a respective one of the trusted authorities. The printer 30 can 
decrypt the encrypted document if the printer 30 receives the n private keys 

20 Sprint/ (/ = 1 n), each issued by a respective one of the trusted authorities in 

dependence on the associated printing policy, that is: 

Sprint/ = S/Qprintf- 

More particularly, to encrypt a document, m, the user 50: 

25 • Computes a MapToPoint (Hi (Print/)) = Q prlnt/ - (/' = 1 n) e E/F p of 

order q. 

• Selects a random number a e {0,1}*. 

• Computes r = H 3 (o-, m), where r is a random element that ensures 
only someone with the appropriate private key can decrypt the 

30 document, m. 

• Computes U = rP. 
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• Computes gu, = n (i <;<„)P (Q prtnl/ , R) e F p * . 

• Computes V= o- ©H 2 (su,0- 

• Computes W= m ©H 4 (cr). 

• Sets the ciphertext to be C = (U, V, W). 

5 

To decrypt the message, m, the printer 30: 

• Tests U e EJ¥ P of order q; 

• Computes x = p (z (1 < ,• < n) S prtnU , U); 

• Computes <r= V®H 2 (x); 
10 • Computes m = W@ H 4 (o); 

• Computes r = H^a, m); 

• Checks U = rP. 
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It will be appreciated that many variants are possible to the above described 
embodiments of the invention. For example, the computing entity associated 
with at least one trusted authority can be incorporated into the same item of 
equipment as the printer itself, particularly where the role of this trusted 
20 authority is to check the integrity of the printer. 

Although the above-described embodiments all concern the printing of data of 
interest by a printer, it will be appreciated that instead of the output of the data 
of interest being effected by a printer as in the all the embodiments described 
25 above, an alternative out device can be used to record the data on a 
removable storage medium. For example, the data of interest can be output to 
a device for writing to a recordable CD-ROM disc or similar optically-readable 
storage medium. 
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Where multiple trusted authorities are involved, it is possible to use a single 
printing policy giving rise to a single public key Q pr \nt in which case 
computation of gfpnnt in the above-described third embodiment simplifies to: 

Sprint = P ( El s is n ^i, (Sprint) 

5 Such a single printing policy is likely to be divided into a respective sub-policy 
(comprising one or more conditions) associated with each trusted authority, 
each such authority being satisfied that the policy is satisfied if its associated 
sub-policy is met. 

10 Other ways of providing for the involvement of multiple trusted authorities are 
also possible. For example, the user can organise the document-to-be-printed 
as a number of data strings (say n strings) by using Shamir's secret sharing 
scheme, and then encrypt each string using the public data of a respective 
one of the trusted authorities and a corresponding printing policy. In order to 

15 recover the document in cleartext, the printer has to decrypt all of the strings 
by obtaining the appropriate decryption keys from the trusted authorities; it 
necessary to recover all strings because any n-1 strings or less cannot, 
according to Shamir's secret sharing scheme, disclose any information of the 
document. The Shamir secret sharing scheme also allows an implementation 

20 in which the participation of any t out of n share holders is sufficient to enable 
recovery of the secret. 

In an alternative arrangement of multiple trusted authorities each associated 
with a respective printing policy, the user uses the data encrypted in respect 
25 of one printing policy as the data to be encrypted in respect of the next 
printing policy, the encrypted data resulting from the encryption effected in 
respect of all printing policies then being sent to the printer for decryption in 
successive decryption operations using decryption keys obtained from the 
trusted authorities. 
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